ODBC-479 Using SQLGetData with column > column count could crash

lawrinn · lawrinn · commit 0e0adf711d68 · 2025-11-23T22:26:26.000+01:00
the driver. Actually in most cases.
The check stood after the place where certain arrays(storting data
on offets to start reading the data from) were read using
that index - basically it could read past allocated area.
diff --git a/ma_statement.c b/ma_statement.c
@@ -2989,8 +2989,7 @@ SQLRETURN MADB_StmtGetData(SQLHSTMT StatementHandle,
   IrdRec= MADB_DescGetInternalRecord(Stmt->Ird, Offset, MADB_DESC_READ);
   if (!IrdRec)
   {
-    MADB_SetError(&Stmt->Error, MADB_ERR_07009, NULL, 0);
-    return Stmt->Error.ReturnValue;
+    return MADB_SetError(&Stmt->Error, MADB_ERR_07009, NULL, 0);
   }
 
   switch (TargetType) {
diff --git a/odbc_3_api.c b/odbc_3_api.c
@@ -1563,6 +1563,7 @@ SQLRETURN SQL_API SQLGetData(SQLHSTMT StatementHandle,
   MADB_Stmt *Stmt= (MADB_Stmt*)StatementHandle;
   unsigned int i;
   MADB_DescRecord *IrdRec;
+  unsigned int columnCount= 0;
 
   if (StatementHandle== SQL_NULL_HSTMT)
     return SQL_INVALID_HANDLE;
@@ -1581,6 +1582,12 @@ SQLRETURN SQL_API SQLGetData(SQLHSTMT StatementHandle,
     return MADB_GetBookmark(Stmt, TargetType, TargetValuePtr, BufferLength, StrLen_or_IndPtr);
   }
 
+  /* This parameter validation has to be done before using it as array index */
+  if (Col_or_Param_Num > (columnCount= mysql_stmt_field_count(Stmt->stmt)))
+  {
+    return MADB_SetError(&Stmt->Error, MADB_ERR_07009, NULL, 0);
+  }
+
   /* We don't need this to be checked in case of "internal" use of the GetData, i.e. for internal needs we should always get the data */
   if ( Stmt->CharOffset[Col_or_Param_Num - 1] > 0
     && Stmt->CharOffset[Col_or_Param_Num - 1] >= Stmt->Lengths[Col_or_Param_Num - 1])
@@ -1594,7 +1601,7 @@ SQLRETURN SQL_API SQLGetData(SQLHSTMT StatementHandle,
   }
 
   /* reset offsets for other columns. Doing that here since "internal" calls should not do that */
-  for (i=0; i < mysql_stmt_field_count(Stmt->stmt); i++)
+  for (i=0; i < columnCount; i++)
   {
     if (i != Col_or_Param_Num - 1)
     {
diff --git a/test/param.c b/test/param.c
@@ -1,6 +1,6 @@
   /*
   Copyright (c) 2001, 2012, Oracle and/or its affiliates. All rights reserved.
-                2013, 2024 MariaDB Corporation AB
+                2013, 2025 MariaDB Corporation AB
 
   The MySQL Connector/ODBC is licensed under the terms of the GPLv2
   <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>, like most
@@ -988,14 +988,16 @@ ODBC_TEST(t_bug59772)
 #undef ROWS_TO_INSERT
 }
 
-
+/* Enhanced it to also cover ODBC-479 SQLGetData with non-existent column index could crash
+   the driver */
 ODBC_TEST(t_odbcoutparams)
 {
   SQLSMALLINT ncol, i;
   SQLINTEGER  par[3]= {10, 20, 30}, val;
   SQLLEN      len;
   SQLSMALLINT type[]= {SQL_PARAM_INPUT, SQL_PARAM_OUTPUT, SQL_PARAM_INPUT_OUTPUT};
   SQLCHAR     str[20]= "initial value", buff[20];
+  double      dummy= .0;
 
   OK_SIMPLE_STMT(Stmt, "DROP PROCEDURE IF EXISTS t_odbcoutparams");
   OK_SIMPLE_STMT(Stmt, "CREATE PROCEDURE t_odbcoutparams("
@@ -1006,8 +1008,6 @@ ODBC_TEST(t_odbcoutparams)
                 "  SET p_in = p_in*10, p_out = (p_in+p_inout)*10, p_inout = p_inout*10; "
                 "END");
 
-
-
   for (i=0; i < sizeof(par)/sizeof(SQLINTEGER); ++i)
   {
     CHECK_STMT_RC(Stmt, SQLBindParameter(Stmt, i+1, type[i], SQL_C_LONG, SQL_INTEGER, 0,
@@ -1024,8 +1024,12 @@ ODBC_TEST(t_odbcoutparams)
   
   /* Only 1 row always - we still can get them as a result */
   CHECK_STMT_RC(Stmt, SQLFetch(Stmt));
+  EXPECT_STMT(Stmt, SQLGetData(Stmt, 133, SQL_C_DOUBLE, &dummy, sizeof(dummy), NULL), SQL_ERROR);
+  CHECK_SQLSTATE(Stmt, "07009");
   is_num(my_fetch_int(Stmt, 1), 1300);
   is_num(my_fetch_int(Stmt, 2), 300);
+  EXPECT_STMT(Stmt, SQLGetData(Stmt, 3, SQL_C_DOUBLE, &dummy, sizeof(dummy), NULL), SQL_ERROR);
+  CHECK_SQLSTATE(Stmt, "07009");
   FAIL_IF(SQLFetch(Stmt) != SQL_NO_DATA_FOUND, "eof expected");
 
   CHECK_STMT_RC(Stmt, SQLFreeStmt(Stmt, SQL_CLOSE));
@@ -1727,7 +1731,7 @@ MA_ODBC_TESTS my_tests[]=
   {t_bug49029, "t_bug49029"},
   {t_bug56804, "t_bug56804"},
   {t_bug59772, "t_bug59772"},
-  {t_odbcoutparams, "t_odbcoutparams"},
+  {t_odbcoutparams, "t_odbcoutparams-with_odbc-479"},
   {t_bug14501952, "t_bug14501952"},
   {t_bug14563386, "t_bug14563386"},
   {t_bug14551229, "t_bug14551229"},

Original file line number	Diff line number	Diff line change
`@@ -2989,8 +2989,7 @@ SQLRETURN MADB_StmtGetData(SQLHSTMT StatementHandle,`
`2989`	`2989`	`IrdRec= MADB_DescGetInternalRecord(Stmt->Ird, Offset, MADB_DESC_READ);`
`2990`	`2990`	`if (!IrdRec)`
`2991`	`2991`	`{`
`2992`		`- MADB_SetError(&Stmt->Error, MADB_ERR_07009, NULL, 0);`
`2993`		`- return Stmt->Error.ReturnValue;`
	`2992`	`+ return MADB_SetError(&Stmt->Error, MADB_ERR_07009, NULL, 0);`
`2994`	`2993`	`}`
`2995`	`2994`
`2996`	`2995`	`switch (TargetType) {`